diff --git a/ykcs11/obj_types.h b/ykcs11/obj_types.h index 7e9d83d..5e8aa4b 100644 --- a/ykcs11/obj_types.h +++ b/ykcs11/obj_types.h 
@@ -5,84 +5,103 @@ // TODO: this is mostly from OpenSC, how to give credit? typedef enum { - PIV_OBJ_CCC = 0, // Card capability container - PIV_OBJ_CHUI, // Cardholder unique id - /* PIV_OBJ_UCHUI is not in new with 800-73-2 */ - PIV_OBJ_X509_PIV_AUTH, // PIV authentication - PIV_OBJ_CHF, // Cardholder fingerprints - PIV_OBJ_SEC_OBJ, // Security object - PIV_OBJ_CHFI, // Cardholder facial images - PIV_OBJ_X509_CARD_AUTH, // Certificate for card authentication - PIV_OBJ_X509_DS, // Certificate for digital signature - PIV_OBJ_X509_KM, // Certificate for key management - PIV_OBJ_PI, // Cardholder printed information - PIV_OBJ_DISCOVERY, // Discovery object - PIV_OBJ_HISTORY, // History object - PIV_OBJ_RETIRED_X509_1, // Retired certificate for KM 1 - PIV_OBJ_RETIRED_X509_2, // Retired certificate for KM 2 - PIV_OBJ_RETIRED_X509_3, // Retired certificate for KM 3 - PIV_OBJ_RETIRED_X509_4, // Retired certificate for KM 4 - PIV_OBJ_RETIRED_X509_5, // Retired certificate for KM 5 - PIV_OBJ_RETIRED_X509_6, // Retired certificate for KM 6 - PIV_OBJ_RETIRED_X509_7, // Retired certificate for KM 7 - PIV_OBJ_RETIRED_X509_8, // Retired certificate for KM 8 - PIV_OBJ_RETIRED_X509_9, // Retired certificate for KM 9 - PIV_OBJ_RETIRED_X509_10, // Retired certificate for KM 10 - PIV_OBJ_RETIRED_X509_11, // Retired certificate for KM 11 - PIV_OBJ_RETIRED_X509_12, // Retired certificate for KM 12 - PIV_OBJ_RETIRED_X509_13, // Retired certificate for KM 13 - PIV_OBJ_RETIRED_X509_14, // Retired certificate for KM 14 - PIV_OBJ_RETIRED_X509_15, // Retired certificate for KM 15 - PIV_OBJ_RETIRED_X509_16, // Retired certificate for KM 16 - PIV_OBJ_RETIRED_X509_17, // Retired certificate for KM 17 - PIV_OBJ_RETIRED_X509_18, // Retired certificate for KM 18 - PIV_OBJ_RETIRED_X509_19, // Retired certificate for KM 19 - PIV_OBJ_RETIRED_X509_20, // Retired certificate for KM 20 - PIV_OBJ_IRIS_IMAGE, // Cardholder iris images - PIV_OBJ_BITGT, // Biometric information templates group template - 
PIV_OBJ_SM_SIGNER, // Secure messaging signer - PIV_OBJ_PC_REF_DATA, // Pairing code reference data - PIV_OBJ_9B03, // NON-STANDARD TODO: remove? - PIV_OBJ_9A06, // NON-STANDARD - PIV_OBJ_9C06, // NON-STANDARD - PIV_OBJ_9D06, // NON-STANDARD - PIV_OBJ_9E06, // NON-STANDARD - PIV_OBJ_8206, // NON-STANDARD - PIV_OBJ_8306, // NON-STANDARD - PIV_OBJ_8406, // NON-STANDARD - PIV_OBJ_8506, // NON-STANDARD - PIV_OBJ_8606, // NON-STANDARD - PIV_OBJ_8706, // NON-STANDARD - PIV_OBJ_8806, // NON-STANDARD - PIV_OBJ_8906, // NON-STANDARD - PIV_OBJ_8A06, // NON-STANDARD - PIV_OBJ_8B06, // NON-STANDARD - PIV_OBJ_8C06, // NON-STANDARD - PIV_OBJ_8D06, // NON-STANDARD - PIV_OBJ_8E06, // NON-STANDARD - PIV_OBJ_8F06, // NON-STANDARD - PIV_OBJ_9006, // NON-STANDARD - PIV_OBJ_9106, // NON-STANDARD - PIV_OBJ_9206, // NON-STANDARD - PIV_OBJ_9306, // NON-STANDARD - PIV_OBJ_9406, // NON-STANDARD - PIV_OBJ_9506, // NON-STANDARD - PIV_OBJ_LAST_ENUM + PIV_DATA_OBJ_CCC = 0, // Card capability container + PIV_DATA_OBJ_CHUI, // Cardholder unique id + /* PIV_DATA_OBJ_UCHUI is not in new with 800-73-2 */ + PIV_DATA_OBJ_X509_PIV_AUTH, // PIV authentication + PIV_DATA_OBJ_CHF, // Cardholder fingerprints + PIV_DATA_OBJ_SEC_OBJ, // Security object + PIV_DATA_OBJ_CHFI, // Cardholder facial images + PIV_DATA_OBJ_X509_CARD_AUTH, // Certificate for card authentication + PIV_DATA_OBJ_X509_DS, // Certificate for digital signature + PIV_DATA_OBJ_X509_KM, // Certificate for key management + PIV_DATA_OBJ_PI, // Cardholder printed information + PIV_DATA_OBJ_DISCOVERY, // Discovery object + PIV_DATA_OBJ_HISTORY, // History object + PIV_DATA_OBJ_RETIRED_X509_1, // Retired certificate for KM 1 + PIV_DATA_OBJ_RETIRED_X509_2, // Retired certificate for KM 2 + PIV_DATA_OBJ_RETIRED_X509_3, // Retired certificate for KM 3 + PIV_DATA_OBJ_RETIRED_X509_4, // Retired certificate for KM 4 + PIV_DATA_OBJ_RETIRED_X509_5, // Retired certificate for KM 5 + PIV_DATA_OBJ_RETIRED_X509_6, // Retired certificate for KM 6 + 
PIV_DATA_OBJ_RETIRED_X509_7, // Retired certificate for KM 7 + PIV_DATA_OBJ_RETIRED_X509_8, // Retired certificate for KM 8 + PIV_DATA_OBJ_RETIRED_X509_9, // Retired certificate for KM 9 + PIV_DATA_OBJ_RETIRED_X509_10, // Retired certificate for KM 10 + PIV_DATA_OBJ_RETIRED_X509_11, // Retired certificate for KM 11 + PIV_DATA_OBJ_RETIRED_X509_12, // Retired certificate for KM 12 + PIV_DATA_OBJ_RETIRED_X509_13, // Retired certificate for KM 13 + PIV_DATA_OBJ_RETIRED_X509_14, // Retired certificate for KM 14 + PIV_DATA_OBJ_RETIRED_X509_15, // Retired certificate for KM 15 + PIV_DATA_OBJ_RETIRED_X509_16, // Retired certificate for KM 16 + PIV_DATA_OBJ_RETIRED_X509_17, // Retired certificate for KM 17 + PIV_DATA_OBJ_RETIRED_X509_18, // Retired certificate for KM 18 + PIV_DATA_OBJ_RETIRED_X509_19, // Retired certificate for KM 19 + PIV_DATA_OBJ_RETIRED_X509_20, // Retired certificate for KM 20 + PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images + PIV_DATA_OBJ_BITGT, // Biometric information templates group template + PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer + PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data +/* PIV_DATA_OBJ_9B03, // NON-STANDARD TODO: remove? 
+ PIV_DATA_OBJ_9A06, // NON-STANDARD + PIV_DATA_OBJ_9C06, // NON-STANDARD + PIV_DATA_OBJ_9D06, // NON-STANDARD + PIV_DATA_OBJ_9E06, // NON-STANDARD + PIV_DATA_OBJ_8206, // NON-STANDARD + PIV_DATA_OBJ_8306, // NON-STANDARD + PIV_DATA_OBJ_8406, // NON-STANDARD + PIV_DATA_OBJ_8506, // NON-STANDARD + PIV_DATA_OBJ_8606, // NON-STANDARD + PIV_DATA_OBJ_8706, // NON-STANDARD + PIV_DATA_OBJ_8806, // NON-STANDARD + PIV_DATA_OBJ_8906, // NON-STANDARD + PIV_DATA_OBJ_8A06, // NON-STANDARD + PIV_DATA_OBJ_8B06, // NON-STANDARD + PIV_DATA_OBJ_8C06, // NON-STANDARD + PIV_DATA_OBJ_8D06, // NON-STANDARD + PIV_DATA_OBJ_8E06, // NON-STANDARD + PIV_DATA_OBJ_8F06, // NON-STANDARD + PIV_DATA_OBJ_9006, // NON-STANDARD + PIV_DATA_OBJ_9106, // NON-STANDARD + PIV_DATA_OBJ_9206, // NON-STANDARD + PIV_DATA_OBJ_9306, // NON-STANDARD + PIV_DATA_OBJ_9406, // NON-STANDARD + PIV_DATA_OBJ_9506, // NON-STANDARD*/ + PIV_DATA_OBJ_LAST, + + PIV_CERT_OBJ_X509_PIV_AUTH, // PIV authentication + PIV_CERT_OBJ_X509_CARD_AUTH, // Certificate for card authentication + PIV_CERT_OBJ_X509_DS, // Certificate for digital signature + PIV_CERT_OBJ_X509_KM, // Certificate for key management + PIV_CERT_OBJ_LAST + // TODO: private keys? } piv_obj_id_t; -#define PIV_OBJECT_TYPE_CERT 1 + +/*#define PIV_OBJECT_TYPE_CERT 1 // TODO: redundant now? #define PIV_OBJECT_TYPE_PUBKEY 2 -#define PIV_OBJECT_NOT_PRESENT 4 +#define PIV_OBJECT_NOT_PRESENT 4*/ typedef struct { - //const CK_OBJECT_CLASS class; - piv_obj_id_t type; - const char *name; // TODO: or utf8 - const char *oid; + const char *oid; CK_BYTE tag_len; // TODO: or ulong? - CK_BYTE tag_value[3]; - CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed? - CK_ULONG flags; /* object has some internal object like a cert */ + CK_BYTE tag_value[3]; // TODO: needed? + CK_BYTE containerid[2]; /* will use as relative paths for simulation */ // TODO: needed? 
+} piv_data_obj_t; + +typedef struct { + CK_BBOOL todo; +} piv_cert_obj_t; + +typedef struct { + piv_obj_id_t type; // TODO: technically redundant + CK_BBOOL token; // TODO: not used yet + CK_BBOOL private; + CK_BBOOL modifiable; + const char *label; + CK_BBOOL copyable; + CK_BBOOL destroyable; +CK_ULONG sub_id; } piv_obj_t; #endif diff --git a/ykcs11/objects.c b/ykcs11/objects.c index 7b32763..5845d53 100644 --- a/ykcs11/objects.c +++ b/ykcs11/objects.c 
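Review bot: In the new `piv_obj_t`, `CK_ULONG sub_id;` sits at column 0 while every other member is indented, and the member named `private` makes this header unusable from a C++ translation unit, where it is a keyword; `is_private` would avoid that, and no `.private` access is visible in this diff to argue against the rename. `sub_id` is the index into a per-class side table (`data_objects[]` or `cert_objects[]` in objects.c), which nothing in the header states; a comment on the field such as `// index into data_objects[] or cert_objects[], selected by type` would make the split-table design discoverable. `piv_cert_obj_t` currently carries only `CK_BBOOL todo`, so if it has to land in this shape a one-line comment on the type saying it is a placeholder would save the next reader a search.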
@@ -3,174 +3,196 @@ #include #include -//TODO: this is mostly a snippet from OpenSC how to give credit? +//TODO: this is mostly a snippet from OpenSC how to give credit? Less and less so now /* Must be in order, and one per enumerated PIV_OBJ */ static piv_obj_t objects[] = { - {PIV_OBJ_CCC, "Card Capability Container", - "2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00", 0}, - {PIV_OBJ_CHUI, "Card Holder Unique Identifier", - "2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00", 0}, - {PIV_OBJ_X509_PIV_AUTH, "X.509 Certificate for PIV Authentication", - "2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01", PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_CHF, "Card Holder Fingerprints", - "2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10", 0}, - {PIV_OBJ_SEC_OBJ, "Security Object", - "2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00", 0}, - {PIV_OBJ_CHFI, "Cardholder Facial Images", - "2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30", 0}, - {PIV_OBJ_X509_CARD_AUTH, "X.509 Certificate for Card Authentication", - "2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00", PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_X509_DS, "X.509 Certificate for Digital Signature", - "2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00", PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_X509_KM, "X.509 Certificate for Key Management", - "2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02", PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_PI, "Printed Information", - "2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01", 0}, - {PIV_OBJ_DISCOVERY, "Discovery Object", - "2.16.840.1.101.3.7.2.96.80", 1, "\x7E", "\x60\x50", 0}, - {PIV_OBJ_HISTORY, "Key History Object", - "2.16.840.1.101.3.7.2.96.96", 3, "\x5F\xC1\x0C", "\x60\x60", 0}, + {PIV_DATA_OBJ_CCC, 0, 0, 0, "Card Capability Container", 0, 0, 0}, + {PIV_DATA_OBJ_CHUI, 0, 0, 0, "Card Holder Unique Identifier", 0, 0, 1}, + // PIV_DATA_OBJ_UCHUI + {PIV_DATA_OBJ_X509_PIV_AUTH, 0, 0, 0, "X.509 Certificate for PIV Authentication", 
0, 0, 2}, + {PIV_DATA_OBJ_CHF, 0, 0, 0, "Card Holder Fingerprints", 0, 0, 3}, + {PIV_DATA_OBJ_SEC_OBJ, 0, 0, 0, "Security Object", 0, 0, 4}, + {PIV_DATA_OBJ_CHFI, 0, 0, 0, "Cardholder Facial Images", 0, 0, 5}, + {PIV_DATA_OBJ_X509_CARD_AUTH, 0, 0, 0, "X.509 Certificate for Card Authentication", 0, 0, 6}, + {PIV_DATA_OBJ_X509_DS, 0, 0, 0, "X.509 Certificate for Digital Signature", 0, 0, 7}, + {PIV_DATA_OBJ_X509_KM, 0, 0, 0, "X.509 Certificate for Key Management", 0, 0, 8}, + {PIV_DATA_OBJ_PI, 0, 0, 0, "Printed Information", 0, 0, 9}, + {PIV_DATA_OBJ_DISCOVERY, 0, 0, 0, "Discovery Object", 0, 0, 10}, + {PIV_DATA_OBJ_HISTORY, 0, 0, 0, "Key History Object", 0, 0, 11}, + {PIV_DATA_OBJ_RETIRED_X509_1, 0, 0, 0, "Retired X.509 Certificate for Key Management 1", 0, 0, 12}, + {PIV_DATA_OBJ_RETIRED_X509_2, 0, 0, 0, "Retired X.509 Certificate for Key Management 2", 0, 0, 13}, + {PIV_DATA_OBJ_RETIRED_X509_3, 0, 0, 0, "Retired X.509 Certificate for Key Management 3", 0, 0, 14}, + {PIV_DATA_OBJ_RETIRED_X509_4, 0, 0, 0, "Retired X.509 Certificate for Key Management 4", 0, 0, 15}, + {PIV_DATA_OBJ_RETIRED_X509_5, 0, 0, 0, "Retired X.509 Certificate for Key Management 5", 0, 0, 16}, + {PIV_DATA_OBJ_RETIRED_X509_6, 0, 0, 0, "Retired X.509 Certificate for Key Management 6", 0, 0, 17}, + {PIV_DATA_OBJ_RETIRED_X509_7, 0, 0, 0, "Retired X.509 Certificate for Key Management 7", 0, 0, 18}, + {PIV_DATA_OBJ_RETIRED_X509_8, 0, 0, 0, "Retired X.509 Certificate for Key Management 8", 0, 0, 19}, + {PIV_DATA_OBJ_RETIRED_X509_9, 0, 0, 0, "Retired X.509 Certificate for Key Management 9", 0, 0, 20}, + {PIV_DATA_OBJ_RETIRED_X509_10, 0, 0, 0, "Retired X.509 Certificate for Key Management 10", 0, 0, 21}, + {PIV_DATA_OBJ_RETIRED_X509_11, 0, 0, 0, "Retired X.509 Certificate for Key Management 11", 0, 0, 22}, + {PIV_DATA_OBJ_RETIRED_X509_12, 0, 0, 0, "Retired X.509 Certificate for Key Management 12", 0, 0, 23}, + {PIV_DATA_OBJ_RETIRED_X509_13, 0, 0, 0, "Retired X.509 Certificate for Key Management 13", 0, 
0, 24}, + {PIV_DATA_OBJ_RETIRED_X509_14, 0, 0, 0, "Retired X.509 Certificate for Key Management 14", 0, 0, 25}, + {PIV_DATA_OBJ_RETIRED_X509_15, 0, 0, 0, "Retired X.509 Certificate for Key Management 15", 0, 0, 26}, + {PIV_DATA_OBJ_RETIRED_X509_16, 0, 0, 0, "Retired X.509 Certificate for Key Management 16", 0, 0, 27}, + {PIV_DATA_OBJ_RETIRED_X509_17, 0, 0, 0, "Retired X.509 Certificate for Key Management 17", 0, 0, 28}, + {PIV_DATA_OBJ_RETIRED_X509_18, 0, 0, 0, "Retired X.509 Certificate for Key Management 18", 0, 0, 29}, + {PIV_DATA_OBJ_RETIRED_X509_19, 0, 0, 0, "Retired X.509 Certificate for Key Management 19", 0, 0, 30}, + {PIV_DATA_OBJ_RETIRED_X509_20, 0, 0, 0, "Retired X.509 Certificate for Key Management 20", 0, 0, 31}, + {PIV_DATA_OBJ_IRIS_IMAGE, 0, 0, 0, "Cardholder Iris Images", 0, 0, 32}, + {PIV_DATA_OBJ_BITGT, 0, 0, 0, "Biometric Information Templates Group Template", 0, 0, 33}, + {PIV_DATA_OBJ_SM_SIGNER, 0, 0, 0, "Secure Messaging Certificate Signer", 0, 0, 34}, + {PIV_DATA_OBJ_PC_REF_DATA, 0, 0, 0, "Pairing Code Reference Data Container", 0, 0, 35}, +/* {PIV_DATA_OBJ_9B03, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9A06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9C06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9D06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9E06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8206, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8306, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8406, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8506, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8606, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8706, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8806, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8906, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8A06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8B06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8C06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8D06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8E06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_8F06, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9006, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9106, 0, 0, 0, "", 0, 
0, }, + {PIV_DATA_OBJ_9206, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9306, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9406, 0, 0, 0, "", 0, 0, }, + {PIV_DATA_OBJ_9506, 0, 0, 0, "", 0, 0, },*/ + {PIV_DATA_OBJ_LAST, 0, 0, 0, "", 0, 0, 36}, + {PIV_CERT_OBJ_X509_PIV_AUTH, 0, 0, 0, "X.509 Certificate for PIV Authentication", 0, 0, 0}, + {PIV_CERT_OBJ_X509_CARD_AUTH, 0, 0, 0, "X.509 Certificate for Card Authentication", 0, 0, 1}, + {PIV_CERT_OBJ_X509_DS, 0, 0, 0, "X.509 Certificate for Digital Signature", 0, 0, 2}, + {PIV_CERT_OBJ_X509_KM, 0, 0, 0, "X.509 Certificate for Key Management", 0, 0, 3}, + {PIV_CERT_OBJ_LAST, 0, 0, 0, "", 0, 41} +}; + +static piv_data_obj_t data_objects[] = { + {"2.16.840.1.101.3.7.1.219.0", 3, "\x5F\xC1\x07", "\xDB\x00"}, + {"2.16.840.1.101.3.7.2.48.0", 3, "\x5F\xC1\x02", "\x30\x00"}, + {"2.16.840.1.101.3.7.2.1.1", 3, "\x5F\xC1\x05", "\x01\x01"}, + {"2.16.840.1.101.3.7.2.96.16", 3, "\x5F\xC1\x03", "\x60\x10"}, + {"2.16.840.1.101.3.7.2.144.0", 3, "\x5F\xC1\x06", "\x90\x00"}, + {"2.16.840.1.101.3.7.2.96.48", 3, "\x5F\xC1\x08", "\x60\x30"}, + {"2.16.840.1.101.3.7.2.5.0", 3, "\x5F\xC1\x01", "\x05\x00"}, + {"2.16.840.1.101.3.7.2.1.0", 3, "\x5F\xC1\x0A", "\x01\x00"}, + {"2.16.840.1.101.3.7.2.1.2", 3, "\x5F\xC1\x0B", "\x01\x02"}, + {"2.16.840.1.101.3.7.2.48.1", 3, "\x5F\xC1\x09", "\x30\x01"}, + {"2.16.840.1.101.3.7.2.96.80", 1, "\x7E", "\x60\x50"}, + {"2.16.840.1.101.3.7.2.96.96", 3, "\x5F\xC1\x0C", "\x60\x60"}, /* 800-73-3, 21 new objects, 20 history certificates */ - {PIV_OBJ_RETIRED_X509_1, "Retired X.509 Certificate for Key Management 1", - "2.16.840.1.101.3.7.2.16.1", 3, "\x5F\xC1\x0D", "\x10\x01", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_2, "Retired X.509 Certificate for Key Management 2", - "2.16.840.1.101.3.7.2.16.2", 3, "\x5F\xC1\x0E", "\x10\x02", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_3, "Retired X.509 Certificate for Key Management 3", - "2.16.840.1.101.3.7.2.16.3", 3, "\x5F\xC1\x0F", 
"\x10\x03", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_4, "Retired X.509 Certificate for Key Management 4", - "2.16.840.1.101.3.7.2.16.4", 3, "\x5F\xC1\x10", "\x10\x04", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_5, "Retired X.509 Certificate for Key Management 5", - "2.16.840.1.101.3.7.2.16.5", 3, "\x5F\xC1\x11", "\x10\x05", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_6, "Retired X.509 Certificate for Key Management 6", - "2.16.840.1.101.3.7.2.16.6", 3, "\x5F\xC1\x12", "\x10\x06", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_7, "Retired X.509 Certificate for Key Management 7", - "2.16.840.1.101.3.7.2.16.7", 3, "\x5F\xC1\x13", "\x10\x07", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_8, "Retired X.509 Certificate for Key Management 8", - "2.16.840.1.101.3.7.2.16.8", 3, "\x5F\xC1\x14", "\x10\x08", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_9, "Retired X.509 Certificate for Key Management 9", - "2.16.840.1.101.3.7.2.16.9", 3, "\x5F\xC1\x15", "\x10\x09", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_10, "Retired X.509 Certificate for Key Management 10", - "2.16.840.1.101.3.7.2.16.10", 3, "\x5F\xC1\x16", "\x10\x0A", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_11, "Retired X.509 Certificate for Key Management 11", - "2.16.840.1.101.3.7.2.16.11", 3, "\x5F\xC1\x17", "\x10\x0B", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_12, "Retired X.509 Certificate for Key Management 12", - "2.16.840.1.101.3.7.2.16.12", 3, "\x5F\xC1\x18", "\x10\x0C", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_13, "Retired X.509 Certificate for Key Management 13", - "2.16.840.1.101.3.7.2.16.13", 3, "\x5F\xC1\x19", "\x10\x0D", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_14, "Retired X.509 Certificate 
for Key Management 14", - "2.16.840.1.101.3.7.2.16.14", 3, "\x5F\xC1\x1A", "\x10\x0E", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_15, "Retired X.509 Certificate for Key Management 15", - "2.16.840.1.101.3.7.2.16.15", 3, "\x5F\xC1\x1B", "\x10\x0F", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_16, "Retired X.509 Certificate for Key Management 16", - "2.16.840.1.101.3.7.2.16.16", 3, "\x5F\xC1\x1C", "\x10\x10", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_17, "Retired X.509 Certificate for Key Management 17", - "2.16.840.1.101.3.7.2.16.17", 3, "\x5F\xC1\x1D", "\x10\x11", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_18, "Retired X.509 Certificate for Key Management 18", - "2.16.840.1.101.3.7.2.16.18", 3, "\x5F\xC1\x1E", "\x10\x12", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_19, "Retired X.509 Certificate for Key Management 19", - "2.16.840.1.101.3.7.2.16.19", 3, "\x5F\xC1\x1F", "\x10\x13", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - {PIV_OBJ_RETIRED_X509_20, "Retired X.509 Certificate for Key Management 20", - "2.16.840.1.101.3.7.2.16.20", 3, "\x5F\xC1\x20", "\x10\x14", - PIV_OBJECT_NOT_PRESENT|PIV_OBJECT_TYPE_CERT}, - - {PIV_OBJ_IRIS_IMAGE, "Cardholder Iris Images", - "2.16.840.1.101.3.7.2.16.21", 3, "\x5F\xC1\x21", "\x10\x15", 0}, - {PIV_OBJ_BITGT, "Biometric Information Templates Group Template", - "2.16.840.1.101.3.7.2.16.22", 2, "\x7F\x61", "\x10\x16", 0}, - {PIV_OBJ_SM_SIGNER, "Secure Messaging Certificate Signer", - "2.16.840.1.101.3.7.2.16.23", 3, "\x5F\xC1\x22", "\x10\x17", 0}, - {PIV_OBJ_PC_REF_DATA, "Pairing Code Reference Data Container", - "2.16.840.1.101.3.7.2.16.24", 3, "\x5F\xC1\x23", "\x10\x18", 0}, + {"2.16.840.1.101.3.7.2.16.1", 3, "\x5F\xC1\x0D", "\x10\x01"}, + {"2.16.840.1.101.3.7.2.16.2", 3, "\x5F\xC1\x0E", "\x10\x02"}, + {"2.16.840.1.101.3.7.2.16.3", 3, "\x5F\xC1\x0F", "\x10\x03"}, + 
{"2.16.840.1.101.3.7.2.16.4", 3, "\x5F\xC1\x10", "\x10\x04"}, + {"2.16.840.1.101.3.7.2.16.5", 3, "\x5F\xC1\x11", "\x10\x05"}, + {"2.16.840.1.101.3.7.2.16.7", 3, "\x5F\xC1\x13", "\x10\x07"}, + {"2.16.840.1.101.3.7.2.16.8", 3, "\x5F\xC1\x14", "\x10\x08"}, + {"2.16.840.1.101.3.7.2.16.9", 3, "\x5F\xC1\x15", "\x10\x09"}, + {"2.16.840.1.101.3.7.2.16.10", 3, "\x5F\xC1\x16", "\x10\x0A"}, + {"2.16.840.1.101.3.7.2.16.11", 3, "\x5F\xC1\x17", "\x10\x0B"}, + {"2.16.840.1.101.3.7.2.16.12", 3, "\x5F\xC1\x18", "\x10\x0C"}, + {"2.16.840.1.101.3.7.2.16.13", 3, "\x5F\xC1\x19", "\x10\x0D"}, + {"2.16.840.1.101.3.7.2.16.14", 3, "\x5F\xC1\x1A", "\x10\x0E"}, + {"2.16.840.1.101.3.7.2.16.15", 3, "\x5F\xC1\x1B", "\x10\x0F"}, + {"2.16.840.1.101.3.7.2.16.16", 3, "\x5F\xC1\x1C", "\x10\x10"}, + {"2.16.840.1.101.3.7.2.16.17", 3, "\x5F\xC1\x1D", "\x10\x11"}, + {"2.16.840.1.101.3.7.2.16.18", 3, "\x5F\xC1\x1E", "\x10\x12"}, + {"2.16.840.1.101.3.7.2.16.19", 3, "\x5F\xC1\x1F", "\x10\x13"}, + {"2.16.840.1.101.3.7.2.16.20", 3, "\x5F\xC1\x20", "\x10\x14"}, + {"2.16.840.1.101.3.7.2.16.21", 3, "\x5F\xC1\x21", "\x10\x15"}, + {"2.16.840.1.101.3.7.2.16.22", 2, "\x7F\x61", "\x10\x16"}, + {"2.16.840.1.101.3.7.2.16.23", 3, "\x5F\xC1\x22", "\x10\x17"}, + {"2.16.840.1.101.3.7.2.16.24", 3, "\x5F\xC1\x23", "\x10\x18"}, /* following not standard , to be used by piv-tool only for testing */ - {PIV_OBJ_9B03, "3DES-ECB ADM", - "2.16.840.1.101.3.7.2.9999.3", 2, "\x9B\x03", "\x9B\x03", 0}, +/* {PIV_DATA_OBJ_9B03, "3DES-ECB ADM", + "2.16.840.1.101.3.7.2.9999.3", 2, "\x9B\x03", "\x9B\x03", 0},*/ /* Only used when signing a cert req, usually from engine * after piv-tool generated the key and saved the pub key * to a file. Note RSA key can be 1024, 2048 or 3072 * but still use the "9x06" name. 
*/ - {PIV_OBJ_9A06, "RSA 9A Pub key from last genkey", +/* {PIV_DATA_OBJ_9A06, "RSA 9A Pub key from last genkey", "2.16.840.1.101.3.7.2.9999.20", 2, "\x9A\x06", "\x9A\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9C06, "Pub 9C key from last genkey", + {PIV_DATA_OBJ_9C06, "Pub 9C key from last genkey", "2.16.840.1.101.3.7.2.9999.21", 2, "\x9C\x06", "\x9C\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9D06, "Pub 9D key from last genkey", + {PIV_DATA_OBJ_9D06, "Pub 9D key from last genkey", "2.16.840.1.101.3.7.2.9999.22", 2, "\x9D\x06", "\x9D\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9E06, "Pub 9E key from last genkey", + {PIV_DATA_OBJ_9E06, "Pub 9E key from last genkey", "2.16.840.1.101.3.7.2.9999.23", 2, "\x9E\x06", "\x9E\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8206, "Pub 82 key ", + {PIV_DATA_OBJ_8206, "Pub 82 key ", "2.16.840.1.101.3.7.2.9999.101", 2, "\x82\x06", "\x82\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8306, "Pub 83 key ", + {PIV_DATA_OBJ_8306, "Pub 83 key ", "2.16.840.1.101.3.7.2.9999.102", 2, "\x83\x06", "\x83\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8406, "Pub 84 key ", + {PIV_DATA_OBJ_8406, "Pub 84 key ", "2.16.840.1.101.3.7.2.9999.103", 2, "\x84\x06", "\x84\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8506, "Pub 85 key ", + {PIV_DATA_OBJ_8506, "Pub 85 key ", "2.16.840.1.101.3.7.2.9999.104", 2, "\x85\x06", "\x85\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8606, "Pub 86 key ", + {PIV_DATA_OBJ_8606, "Pub 86 key ", "2.16.840.1.101.3.7.2.9999.105", 2, "\x86\x06", "\x86\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8706, "Pub 87 key ", + {PIV_DATA_OBJ_8706, "Pub 87 key ", "2.16.840.1.101.3.7.2.9999.106", 2, "\x87\x06", "\x87\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8806, "Pub 88 key ", + {PIV_DATA_OBJ_8806, "Pub 88 key ", "2.16.840.1.101.3.7.2.9999.107", 2, "\x88\x06", "\x88\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8906, "Pub 89 key ", + {PIV_DATA_OBJ_8906, "Pub 89 key ", "2.16.840.1.101.3.7.2.9999.108", 2, "\x89\x06", "\x89\x06", PIV_OBJECT_TYPE_PUBKEY}, - 
{PIV_OBJ_8A06, "Pub 8A key ", + {PIV_DATA_OBJ_8A06, "Pub 8A key ", "2.16.840.1.101.3.7.2.9999.109", 2, "\x8A\x06", "\x8A\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8B06, "Pub 8B key ", + {PIV_DATA_OBJ_8B06, "Pub 8B key ", "2.16.840.1.101.3.7.2.9999.110", 2, "\x8B\x06", "\x8B\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8C06, "Pub 8C key ", + {PIV_DATA_OBJ_8C06, "Pub 8C key ", "2.16.840.1.101.3.7.2.9999.111", 2, "\x8C\x06", "\x8C\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8D06, "Pub 8D key ", + {PIV_DATA_OBJ_8D06, "Pub 8D key ", "2.16.840.1.101.3.7.2.9999.112", 2, "\x8D\x06", "\x8D\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8E06, "Pub 8E key ", + {PIV_DATA_OBJ_8E06, "Pub 8E key ", "2.16.840.1.101.3.7.2.9999.113", 2, "\x8E\x06", "\x8E\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_8F06, "Pub 8F key ", + {PIV_DATA_OBJ_8F06, "Pub 8F key ", "2.16.840.1.101.3.7.2.9999.114", 2, "\x8F\x06", "\x8F\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9006, "Pub 90 key ", + {PIV_DATA_OBJ_9006, "Pub 90 key ", "2.16.840.1.101.3.7.2.9999.115", 2, "\x90\x06", "\x90\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9106, "Pub 91 key ", + {PIV_DATA_OBJ_9106, "Pub 91 key ", "2.16.840.1.101.3.7.2.9999.116", 2, "\x91\x06", "\x91\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9206, "Pub 92 key ", + {PIV_DATA_OBJ_9206, "Pub 92 key ", "2.16.840.1.101.3.7.2.9999.117", 2, "\x92\x06", "\x92\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9306, "Pub 93 key ", + {PIV_DATA_OBJ_9306, "Pub 93 key ", "2.16.840.1.101.3.7.2.9999.118", 2, "\x93\x06", "\x93\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9406, "Pub 94 key ", + {PIV_DATA_OBJ_9406, "Pub 94 key ", "2.16.840.1.101.3.7.2.9999.119", 2, "\x94\x06", "\x94\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_9506, "Pub 95 key ", - "2.16.840.1.101.3.7.2.9999.120", 2, "\x95\x06", "\x95\x06", PIV_OBJECT_TYPE_PUBKEY}, - {PIV_OBJ_LAST_ENUM, "", "", 0, "", "", 0} + {PIV_DATA_OBJ_9506, "Pub 95 key ", + "2.16.840.1.101.3.7.2.9999.120", 2, "\x95\x06", "\x95\x06", PIV_OBJECT_TYPE_PUBKEY},*/ + {"", 0, "", ""} 
}; -static const CK_ULONG n_objects = sizeof(objects) / sizeof(piv_obj_t); +static piv_cert_obj_t cert_objects[] = { + {0}, + {0}, + {0}, + {0}, + {0} +}; + + +//static const CK_ULONG n_objects = sizeof(objects) / sizeof(piv_obj_t); static void get_object_class(CK_OBJECT_HANDLE obj, CK_OBJECT_CLASS_PTR class) { - if ((objects[obj].flags & PIV_OBJECT_TYPE_PUBKEY)) - *class = CKO_PUBLIC_KEY; - else if ((objects[obj].flags & PIV_OBJECT_TYPE_CERT)) + if (obj >= 0 && obj < PIV_DATA_OBJ_LAST) + *class = CKO_DATA; + else if (obj > PIV_DATA_OBJ_LAST && obj < PIV_CERT_OBJ_LAST) *class = CKO_CERTIFICATE; else - *class = CKO_DATA; // TODO: other possibilities? + *class = CKO_VENDOR_DEFINED | CKO_DATA; // Invalid value } /*static void get_object_label(CK_OBJECT_HANDLE obj, CK_UTF8CHAR_PTR label) { @@ -180,7 +202,7 @@ static void get_object_class(CK_OBJECT_HANDLE obj, CK_OBJECT_CLASS_PTR class) { // Next two functions based off the code at // https://github.com/m9aertner/oidConverter/blob/master/oid.c -// TODO: how to give credit? +// TODO: how to give credit? OR JUST STORE THE OID ALREADY ENCODED? static void make_base128(unsigned long l, int first, CK_BYTE_PTR buf, CK_ULONG_PTR n) { if (l > 127) make_base128(l / 128, 0, buf, n); 
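Review bot: The new `data_objects[]` table skips the entry for retired KM certificate 6 (OID `2.16.840.1.101.3.7.2.16.6`, tag `"\x5F\xC1\x12"`, container `"\x10\x06"`) between the `.16.5` and `.16.7` rows, so every `sub_id` from 17 (`PIV_DATA_OBJ_RETIRED_X509_6`) onward resolves to the following object's OID and tag, and the `sub_id` of 36 on the `PIV_DATA_OBJ_LAST` row indexes one past the 36-entry table. The `PIV_CERT_OBJ_LAST` row `{PIV_CERT_OBJ_LAST, 0, 0, 0, "", 0, 41}` has only seven initializers, so 41 lands in `destroyable` and `sub_id` is left at 0. Given that the comment says the rows must be in enum order, a compile-time check such as `_Static_assert(sizeof(objects) / sizeof(objects[0]) == PIV_CERT_OBJ_LAST + 1, "objects[] out of sync with piv_obj_id_t")` (C11) would have caught the missing row. In `get_object_class`, `obj >= 0` is always true for an unsigned `CK_OBJECT_HANDLE` and can be dropped, and returning `CKO_VENDOR_DEFINED | CKO_DATA` as an "invalid" marker deserves a named constant or an error return rather than a comment.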
@@ -286,20 +308,21 @@ CK_RV get_attribute(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { case CKA_LABEL: fprintf(stderr, "LABEL\n"); - len = strlen(objects[obj].name) + 1; - data = objects[obj].name; + len = strlen(objects[obj].label) + 1; + data = objects[obj].label; break; case CKA_APPLICATION: fprintf(stderr, "APPLICATION\n"); - len = strlen(objects[obj].name) + 1; - data = objects[obj].name; + len = strlen(objects[obj].label) + 1; + data = objects[obj].label; break; -// case CKA_VALUE: +// case CKA_VALUE: // TODO: this can be done with -r and -d|-a case CKA_OBJECT_ID: // TODO: how about just storing the OID in DER ? + // This only makes sense for data objects fprintf(stderr, "OID\n"); - strcpy((char *)tmp, objects[obj].oid); + strcpy((char *)tmp, data_objects[objects[obj].sub_id].oid); asn1_encode_oid(tmp, tmp, &len); data = tmp; break; @@ -319,9 +342,10 @@ CK_RV get_attribute(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { /* case CKA_SUBJECT: */ case CKA_ID: - fprintf(stderr, "KEY ID\n"); - len = 2; - data = objects[obj].containerid; + // This only makes sense for data objects + fprintf(stderr, "ID\n"); + len = data_objects[objects[obj].sub_id].tag_len; + data = data_objects[objects[obj].sub_id].tag_value; break; /* case CKA_SENSITIVE: */ @@ -372,7 +396,7 @@ CK_RV get_attribute(CK_OBJECT_HANDLE obj, CK_ATTRIBUTE_PTR template) { template->ulValueLen = len; // TODO: define? return CKR_OK; } - + if (template->ulValueLen < len) return CKR_BUFFER_TOO_SMALL; diff --git a/ykcs11/vendors.c b/ykcs11/vendors.c index b4fd55d..2b75387 100644 --- a/ykcs11/vendors.c +++ b/ykcs11/vendors.c 
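Review bot: `data_objects[objects[obj].sub_id]` is read for `CKA_OBJECT_ID` and `CKA_ID` regardless of the handle's class, but for a certificate handle `sub_id` (0–3) indexes `cert_objects[]`, so the lookup silently returns the OID and tag of an unrelated data object (CCC, CHUI, …). The "This only makes sense for data objects" comments should be enforced with a guard before each lookup, e.g. `if (obj >= PIV_DATA_OBJ_LAST) return CKR_ATTRIBUTE_TYPE_INVALID;`. Whether `obj` itself is bounds-checked against `objects[]` before these `case` arms is not visible, since `get_attribute` begins before line 286; as the handle comes straight from the C_GetAttributeValue caller, that check needs to exist somewhere above.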
@@ -29,7 +29,7 @@ vendor_t get_vendor(vendor_id_t vid) { v.get_token_mechanisms_num = YUBICO_get_token_mechanisms_num; v.get_token_mechanism_list = YUBICO_get_token_mechanism_list; v.get_token_mechanism_info = YUBICO_get_token_mechanism_info; - v.get_token_objects_num = YUBICO_get_token_objects_num; +// v.get_token_objects_num = YUBICO_get_token_objects_num; v.get_token_object_list = YUBICO_get_token_object_list; break; @@ -48,7 +48,7 @@ vendor_t get_vendor(vendor_id_t vid) { v.get_token_mechanisms_num = NULL; v.get_token_mechanism_list = NULL; v.get_token_mechanism_info = NULL; - v.get_token_objects_num = NULL; +// v.get_token_objects_num = NULL; v.get_token_object_list = NULL; } diff --git a/ykcs11/vendors.h b/ykcs11/vendors.h index 73e00ac..6b0d2f0 100644 --- a/ykcs11/vendors.h +++ b/ykcs11/vendors.h @@ -3,6 +3,7 @@ #include "pkcs11.h" #include "objects.h" +#include typedef enum { UNKNOWN = 0x00, @@ -22,8 +23,8 @@ typedef CK_RV (*get_t_serial_f)(CK_CHAR_PTR, CK_ULONG); typedef CK_RV (*get_t_mechanisms_num_f)(CK_ULONG_PTR); typedef CK_RV (*get_t_mechanism_list_f)(CK_MECHANISM_TYPE_PTR, CK_ULONG); typedef CK_RV (*get_t_mechanism_info_f)(CK_MECHANISM_TYPE, CK_MECHANISM_INFO_PTR); -typedef CK_RV (*get_t_objects_num_f)(CK_ULONG_PTR); -typedef CK_RV (*get_t_object_list_f)(piv_obj_id_t *, CK_ULONG); +//typedef CK_RV (*get_t_objects_num_f)(CK_ULONG_PTR); +typedef CK_RV (*get_t_object_list_f)(ykpiv_state *, piv_obj_id_t *, CK_ULONG_PTR); typedef struct { @@ -40,7 +41,7 @@ typedef struct { get_t_mechanisms_num_f get_token_mechanisms_num; get_t_mechanism_list_f get_token_mechanism_list; get_t_mechanism_info_f get_token_mechanism_info; - get_t_objects_num_f get_token_objects_num; +// get_t_objects_num_f get_token_objects_num; get_t_object_list_f get_token_object_list; } vendor_t; diff --git a/ykcs11/ykcs11.c b/ykcs11/ykcs11.c index 6541352..61d3e93 100644 --- a/ykcs11/ykcs11.c +++ b/ykcs11/ykcs11.c 
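Review bot: The new `get_t_object_list_f` typedef in vendors.h turns the last parameter into `CK_ULONG_PTR`, and C_OpenSession depends on it being in/out (array capacity on entry, number of objects written on return), but the typedef says nothing about that; an implementation that only writes the count could overrun the caller's array, so document it on the typedef, e.g. `// count: in = capacity of the handle array, out = number of handles written`. Commenting out `get_t_objects_num_f`, `get_token_objects_num` and the two assignments in vendors.c rather than deleting them leaves dead code in four places; version control keeps the history.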
@@ -7,7 +7,7 @@ #define D(x) do { \ printf ("debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \ - printf x; \ + printf x;; \ printf ("\n"); \ } while (0) @@ -40,7 +40,7 @@ static ykpiv_state *piv_state = NULL; -static ykcs11_slot_t slots[YKCS11_MAX_SLOTS]; +static ykcs11_slot_t slots[YKCS11_MAX_SLOTS]; // TODO: build at runtime? static CK_ULONG n_slots = 0; static CK_ULONG n_slots_with_token = 0; @@ -51,21 +51,11 @@ static struct { CK_BBOOL active; CK_ULONG num; CK_ULONG idx; - CK_BBOOL all; - CK_OBJECT_CLASS class; + piv_obj_id_t *objects; } find_obj; -static piv_obj_id_t piv_objects[] = { // Mandatory PIV objects - PIV_OBJ_CCC, // Card capability container - PIV_OBJ_CHUI, // Cardholder unique id - PIV_OBJ_X509_PIV_AUTH, // PIV authentication - PIV_OBJ_CHF, // Cardholder fingerprints - PIV_OBJ_CHFI, // Cardholder facial images - PIV_OBJ_X509_DS, // Certificate for digital signature - PIV_OBJ_X509_KM, // Certificate for key management - PIV_OBJ_X509_CARD_AUTH, // Certificate for card authentication - PIV_OBJ_SEC_OBJ // Security object -}; +static piv_obj_id_t token_objects[PIV_CERT_OBJ_LAST]; // TODO: tide this up, also build at runtime (during open session)? +static CK_ULONG n_token_objects = 0; extern CK_FUNCTION_LIST function_list; // TODO: check all return values @@ -200,7 +190,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetSlotList)( for (j = 0, i = 0; i < n_slots; i++) { if (tokenPresent) { - if (has_token(slots + i)) + if (has_token(slots + i)) // TODO: use more to check if TOKEN_REMOVED pSlotList[j++] = i; } else @@ -229,8 +219,6 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetSlotInfo)( memcpy(pInfo, &slots[slotID].info, sizeof(CK_SLOT_INFO)); - //DBG(("slotID %lu, pInfo %s", slotID, pInfo->slotDescription)); - DOUT; return CKR_OK; } 
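Review bot: The `D` macro change introduces a stray empty statement, `printf x;;`, which is harmless inside the `do { } while (0)` body but reads as a typo and will trip `-Wextra` style checks; revert it to `printf x; \`. In the `@@ -51` hunk, `find_obj.objects` now aliases a module-wide `token_objects[]` that C_OpenSession rewrites, so a comment on the `find_obj` struct noting that an in-progress search is invalidated by a subsequent C_OpenSession would document the coupling.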
@@ -465,18 +453,34 @@ CK_DEFINE_FUNCTION(CK_RV, C_OpenSession)( { DIN; + vendor_t vendor; + if (piv_state == NULL) return CKR_CRYPTOKI_NOT_INITIALIZED; if (slotID >= n_slots || phSession == NULL) return CKR_ARGUMENTS_BAD; + if (slots[slotID].vid == UNKNOWN) { + DBG(("No support for token in slot %lu", slotID)); + return CKR_TOKEN_NOT_RECOGNIZED; + } + if (!has_token(slots + slotID)) { DBG(("Slot %lu has no token inserted", slotID)); return CKR_TOKEN_NOT_PRESENT; } - if ((flags & CKF_SERIAL_SESSION) == 0) { + vendor = get_vendor(slots[slotID].vid); // TODO: make a token field in slot_t ? + + // Store all the objects available in the token + n_token_objects = sizeof(token_objects) / sizeof(piv_obj_id_t); + if (vendor.get_token_object_list(piv_state, token_objects, &n_token_objects) != CKR_OK) { + DBG(("Unable to retrieve token objects")); + return CKR_FUNCTION_FAILED; + } + + if ((flags & CKF_SERIAL_SESSION) == 0) { // TODO: check more error conditions DBG(("Open session called without CKF_SERIAL_SESSION set")); return CKR_SESSION_PARALLEL_NOT_SUPPORTED; } @@ -755,7 +759,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_GetAttributeValue)( DOUT; return CKR_OK; } - DBG(("Trying to get object %lx", hObject)); + DBG(("Trying to get %lu attributes for object %lx", ulCount, hObject)); DBG(("Type: 0x%lx Value: %lu Len: %lu", pTemplate[0].type, *((CK_ULONG_PTR)pTemplate[0].pValue), pTemplate[0].ulValueLen)); // TODO: here for i in ulCount return get_attribute(hObject, pTemplate); 
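Review bot: C_OpenSession now calls `vendor.get_token_object_list` and overwrites the globals `token_objects`/`n_token_objects` before the `CKF_SERIAL_SESSION` check, so a call that is rejected with `CKR_SESSION_PARALLEL_NOT_SUPPORTED` still mutates module state; move the argument validation above the vendor call. `n_token_objects` is preset to the array capacity and relied on as an in/out parameter, which only holds if every vendor implementation honours it — the YUBICO implementation is not in this diff, so that cannot be confirmed here. The `vendor` local is also fetched on every session open; a comment on why `get_vendor` is not cached in the slot (the TODO hints at it) would help.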
@@ -808,14 +812,14 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( if (ulCount == 0) { DBG(("Find ALL the objects!")); find_obj.active = CK_TRUE; - vendor.get_token_objects_num(&find_obj.num); + find_obj.num = n_token_objects; find_obj.idx = 0; - find_obj.all = CK_TRUE; + find_obj.objects = token_objects; DOUT; return CKR_OK; } - return CKR_FUNCTION_FAILED; - DBG(("Initialized search for %lu objects", ulCount)); +// return CKR_FUNCTION_FAILED; + DBG(("Initialized search with %lu parameters", ulCount)); if (pTemplate == NULL_PTR) return CKR_ARGUMENTS_BAD; @@ -823,10 +827,7 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjectsInit)( find_obj.active = CK_TRUE; for (i = 0; i < ulCount; i++) { - DBG(("Object %lu\nType: %lu Value: %lu Len: %lu", i, pTemplate[i].type, *((CK_ULONG_PTR)pTemplate[i].pValue), pTemplate[i].ulValueLen)); - - // if () - + DBG(("Parameter %lu\nType: %lu Value: %lu Len: %lu", i, pTemplate[i].type, *((CK_ULONG_PTR)pTemplate[i].pValue), pTemplate[i].ulValueLen)); } @@ -861,19 +862,22 @@ CK_DEFINE_FUNCTION(CK_RV, C_FindObjects)( return CKR_OPERATION_NOT_INITIALIZED; DBG(("Can return %lu object(s)", ulMaxObjectCount)); - if (find_obj.all == CK_TRUE) { - // Trying to get all the objects, just return the next one - if (find_obj.idx == find_obj.num) { - *pulObjectCount = 0; - DOUT; - return CKR_OK; - } - *phObject = piv_objects[find_obj.idx++]; - *pulObjectCount = 1; + // Return the next object + if (find_obj.idx == find_obj.num) { + *pulObjectCount = 0; + DOUT; + return CKR_OK; } + *phObject = find_obj.objects[find_obj.idx++]; + *pulObjectCount = 1; + return CKR_OK; + // NEVER REACHED + DBG(("GETTING SOMETHING ELSE")); + *phObject = PIV_DATA_OBJ_X509_DS; + *pulObjectCount = 2; DOUT; return CKR_OK; } 
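Review bot: In the template path (ulCount > 0) the new code sets `find_obj.active = CK_TRUE` but, within these hunks, never assigns `find_obj.objects`, `find_obj.num` or `find_obj.idx`, while C_FindObjects now unconditionally reads `find_obj.objects[find_obj.idx++]`; unless code past the hunk fills them, a template search dereferences a NULL pointer on the first call or a stale one left by a previous ulCount == 0 search. Until template matching exists, either initialise the three fields in that path as well (`find_obj.objects = token_objects; find_obj.num = n_token_objects; find_obj.idx = 0;`) or return CKR_FUNCTION_NOT_SUPPORTED instead of leaving `// return CKR_FUNCTION_FAILED;` commented out. The function body continues outside the hunk.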
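Review bot: `*phObject = find_obj.objects[find_obj.idx++]` writes one handle without checking `ulMaxObjectCount`, so a caller that passes 0 (permitted by PKCS#11) gets a write into a zero-length buffer; guard with `if (phObject == NULL_PTR || pulObjectCount == NULL_PTR) return CKR_ARGUMENTS_BAD;` and `if (ulMaxObjectCount == 0) { *pulObjectCount = 0; DOUT; return CKR_OK; }` before the copy. The `return CKR_OK;` added mid-body also skips `DOUT;` and leaves the `// NEVER REACHED` block (`*phObject = PIV_DATA_OBJ_X509_DS; *pulObjectCount = 2;`) as dead code; delete it rather than keeping unreachable writes that a future edit could resurrect. The opening lines of C_FindObjects are outside the hunk.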
@@ -1073,11 +1077,35 @@ CK_DEFINE_FUNCTION(CK_RV, C_SignInit)(
 )
 {
   DIN;
-  DBG(("TODO!!!"));
+
+  if (piv_state == NULL)
+    return CKR_CRYPTOKI_NOT_INITIALIZED;
+
+  if (session != YKCS11_SESSION_ID)
+    return CKR_SESSION_CLOSED;
+
+  if (hSession != session)
+    return CKR_SESSION_HANDLE_INVALID;
+
+  if (pMechanism == NULL_PTR ||
+      hKey == NULL_PTR)
+    return CKR_ARGUMENTS_BAD;
+
+  DBG(("Trying to sign some data with mechanism %lu and key %lu", pMechanism->mechanism, hKey));
   DOUT;
   return CKR_OK;
 }
-
+/* TOTOD: DELETE */
+CK_BYTE sig_buf[1024];
+CK_ULONG sig_len = 1024;
+void dump_hex(const unsigned char *buf, unsigned int len, FILE *output, CK_BBOOL space) {
+  unsigned int i;
+  for (i = 0; i < len; i++) {
+    fprintf(output, "%02x%s", buf[i], space == CK_TRUE ? " " : "");
+  }
+  fprintf(output, "\n");
+}
+/* TODO: DELETE END*/
 CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
   CK_SESSION_HANDLE hSession,
   CK_BYTE_PTR pData,
@@ -1087,7 +1115,21 @@ CK_DEFINE_FUNCTION(CK_RV, C_Sign)(
 )
 {
   DIN;
-  DBG(("TODO!!!"));
+  // TODO: check conditions
+  char test_buf[] = "\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20\xa7\x47\x16\x1b\x15\x5f\xd0\x05\xbc\xbe\x84\x4a\x28\xa9\x6c\x74\xfe\xf6\x6a\x42\x84\xa0\x4e\x05\x7a\x0c\x88\xe2\xc8\x83\xc0\x00";
+  CK_ULONG sig_len_in = sizeof(test_buf) - 1;
+  CK_ULONG sig_len_out = 1024;
+  ykpiv_rc r;
+  DBG(("Sending %lu bytes to sign", /*ulDataLen*/sig_len_in));
+  dump_hex(test_buf, sig_len_in, stderr, CK_TRUE);
+  if ((r = ykpiv_sign_data(piv_state, /*pData*/test_buf, /*ulDataLen*/sig_len_in, sig_buf, &sig_len_out, YKPIV_ALGO_RSA2048, YKPIV_KEY_AUTHENTICATION)) != YKPIV_OK) {
+    DBG(("Sign error %s", ykpiv_strerror(r)));
+    return CKR_FUNCTION_FAILED;
+  }
+  DBG(("Got %lu bytes back", sig_len_out));
+  dump_hex(sig_buf, sig_len_out, stderr, CK_TRUE);
+  memcpy(pSignature, sig_buf, sig_len_out);
+  *pulSignatureLen = sig_len_out;
   DOUT;
   return CKR_OK;
 }
diff --git a/ykcs11/yubico.c b/ykcs11/yubico.c
index f3c25f5..be80b60 100644
--- a/ykcs11/yubico.c
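Review bot: `hKey == NULL_PTR` compares a CK_OBJECT_HANDLE with the null pointer constant; it likely compiles only because NULL_PTR expands to 0, and the PKCS#11 sentinel for handles is `CK_INVALID_HANDLE`, so write `if (pMechanism == NULL_PTR || hKey == CK_INVALID_HANDLE)`. The function validates the mechanism and key but stores neither, so C_Sign (next hunk) has no inputs from C_SignInit and signs hard-coded values; keeping them in a module-level operation struct next to `find_obj` would give C_Sign its mechanism and key. The scratch definitions added after the function (`sig_buf`, `sig_len`, `dump_hex`) have external linkage in a shared library even though they are marked for deletion; make them `static` for now, and `sig_len` appears unused in these hunks.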
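Review bot: `memcpy(pSignature, sig_buf, sig_len_out)` copies the signature into the caller's buffer without checking `pSignature` or `*pulSignatureLen`; PKCS#11 defines `pSignature == NULL_PTR` as a size query and requires `CKR_BUFFER_TOO_SMALL` when the buffer is short, so as written an RSA-2048 signature overruns any smaller caller buffer. Add the checks below, with the `pulSignatureLen` NULL test joining the other argument validation before the card call. Signing `test_buf` with a fixed key and algorithm instead of `pData`/`ulDataLen` is already flagged by the TODO; separately, `dump_hex(..., stderr, ...)` writes both the input and the signature to stderr unconditionally, which should be gated behind the debug macro or removed before this ships.
```c
  DIN;
  if (pulSignatureLen == NULL_PTR)
    return CKR_ARGUMENTS_BAD;
  // … unchanged: test_buf setup, ykpiv_sign_data call and its error path …
  if (pSignature == NULL_PTR) {
    *pulSignatureLen = sig_len_out;   // size query: report the length only
    DOUT;
    return CKR_OK;
  }
  if (*pulSignatureLen < sig_len_out) {
    *pulSignatureLen = sig_len_out;
    DOUT;
    return CKR_BUFFER_TOO_SMALL;
  }
  memcpy(pSignature, sig_buf, sig_len_out);
  *pulSignatureLen = sig_len_out;
```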
+++ b/ykcs11/yubico.c 
@@ -68,42 +68,42 @@ static const CK_MECHANISM_INFO token_mechanism_infos[] = { // KEEP ALIGNED WITH }; static const piv_obj_id_t token_objects[] = { // TODO: is there a way to get this from the token? - PIV_OBJ_CCC, // Card capability container - PIV_OBJ_CHUI, // Cardholder unique id - PIV_OBJ_X509_PIV_AUTH, // PIV authentication - PIV_OBJ_CHF, // Cardholder fingerprints - PIV_OBJ_SEC_OBJ, // Security object - PIV_OBJ_CHFI, // Cardholder facial images - PIV_OBJ_X509_CARD_AUTH, // Certificate for card authentication - PIV_OBJ_X509_DS, // Certificate for digital signature - PIV_OBJ_X509_KM, // Certificate for key management - //PIV_OBJ_PI, // Cardholder printed information - //PIV_OBJ_DISCOVERY, // Discovery object - //PIV_OBJ_HISTORY, // History object -/* PIV_OBJ_RETIRED_X509_1, // Retired certificate for KM 1 - PIV_OBJ_RETIRED_X509_2, // Retired certificate for KM 2 - PIV_OBJ_RETIRED_X509_3, // Retired certificate for KM 3 - PIV_OBJ_RETIRED_X509_4, // Retired certificate for KM 4 - PIV_OBJ_RETIRED_X509_5, // Retired certificate for KM 5 - PIV_OBJ_RETIRED_X509_6, // Retired certificate for KM 6 - PIV_OBJ_RETIRED_X509_7, // Retired certificate for KM 7 - PIV_OBJ_RETIRED_X509_8, // Retired certificate for KM 8 - PIV_OBJ_RETIRED_X509_9, // Retired certificate for KM 9 - PIV_OBJ_RETIRED_X509_10, // Retired certificate for KM 10 - PIV_OBJ_RETIRED_X509_11, // Retired certificate for KM 11 - PIV_OBJ_RETIRED_X509_12, // Retired certificate for KM 12 - PIV_OBJ_RETIRED_X509_13, // Retired certificate for KM 13 - PIV_OBJ_RETIRED_X509_14, // Retired certificate for KM 14 - PIV_OBJ_RETIRED_X509_15, // Retired certificate for KM 15 - PIV_OBJ_RETIRED_X509_16, // Retired certificate for KM 16 - PIV_OBJ_RETIRED_X509_17, // Retired certificate for KM 17 - PIV_OBJ_RETIRED_X509_18, // Retired certificate for KM 18 - PIV_OBJ_RETIRED_X509_19, // Retired certificate for KM 19 - PIV_OBJ_RETIRED_X509_20, // Retired certificate for KM 20*/ - //PIV_OBJ_IRIS_IMAGE, // Cardholder iris images - 
//PIV_OBJ_BITGT, // Biometric information templates group template - //PIV_OBJ_SM_SIGNER, // Secure messaging signer - //PIV_OBJ_PC_REF_DATA, // Pairing code reference data + PIV_DATA_OBJ_CCC, // Card capability container + PIV_DATA_OBJ_CHUI, // Cardholder unique id + PIV_DATA_OBJ_X509_PIV_AUTH, // PIV authentication + PIV_DATA_OBJ_CHF, // Cardholder fingerprints + PIV_DATA_OBJ_SEC_OBJ, // Security object + PIV_DATA_OBJ_CHFI, // Cardholder facial images + PIV_DATA_OBJ_X509_CARD_AUTH, // Certificate for card authentication + PIV_DATA_OBJ_X509_DS, // Certificate for digital signature + PIV_DATA_OBJ_X509_KM, // Certificate for key management + //PIV_DATA_OBJ_PI, // Cardholder printed information + //PIV_DATA_OBJ_DISCOVERY, // Discovery object + //PIV_DATA_OBJ_HISTORY, // History object +/* PIV_DATA_OBJ_RETIRED_X509_1, // Retired certificate for KM 1 + PIV_DATA_OBJ_RETIRED_X509_2, // Retired certificate for KM 2 + PIV_DATA_OBJ_RETIRED_X509_3, // Retired certificate for KM 3 + PIV_DATA_OBJ_RETIRED_X509_4, // Retired certificate for KM 4 + PIV_DATA_OBJ_RETIRED_X509_5, // Retired certificate for KM 5 + PIV_DATA_OBJ_RETIRED_X509_6, // Retired certificate for KM 6 + PIV_DATA_OBJ_RETIRED_X509_7, // Retired certificate for KM 7 + PIV_DATA_OBJ_RETIRED_X509_8, // Retired certificate for KM 8 + PIV_DATA_OBJ_RETIRED_X509_9, // Retired certificate for KM 9 + PIV_DATA_OBJ_RETIRED_X509_10, // Retired certificate for KM 10 + PIV_DATA_OBJ_RETIRED_X509_11, // Retired certificate for KM 11 + PIV_DATA_OBJ_RETIRED_X509_12, // Retired certificate for KM 12 + PIV_DATA_OBJ_RETIRED_X509_13, // Retired certificate for KM 13 + PIV_DATA_OBJ_RETIRED_X509_14, // Retired certificate for KM 14 + PIV_DATA_OBJ_RETIRED_X509_15, // Retired certificate for KM 15 + PIV_DATA_OBJ_RETIRED_X509_16, // Retired certificate for KM 16 + PIV_DATA_OBJ_RETIRED_X509_17, // Retired certificate for KM 17 + PIV_DATA_OBJ_RETIRED_X509_18, // Retired certificate for KM 18 + PIV_DATA_OBJ_RETIRED_X509_19, // Retired 
certificate for KM 19 + PIV_DATA_OBJ_RETIRED_X509_20, // Retired certificate for KM 20*/ + //PIV_DATA_OBJ_IRIS_IMAGE, // Cardholder iris images + //PIV_DATA_OBJ_BITGT, // Biometric information templates group template + //PIV_DATA_OBJ_SM_SIGNER, // Secure messaging signer + //PIV_DATA_OBJ_PC_REF_DATA, // Pairing code reference data }; static const CK_ULONG token_objects_num = sizeof(token_objects) / sizeof(piv_obj_id_t); 
@@ -252,13 +252,61 @@ CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_P } -CK_RV YUBICO_get_token_objects_num(CK_ULONG_PTR num) { +/*CK_RV YUBICO_get_token_objects_num(CK_ULONG_PTR num) { *num = token_objects_num; - //fprintf("TIENI %lu\n", token_objects_num); + return CKR_OK; + }*/ +#include +CK_RV YUBICO_get_token_object_list(ykpiv_state *state, piv_obj_id_t *obj, CK_ULONG_PTR len) { + CK_BYTE buf[2048]; + CK_ULONG buf_len; + + piv_obj_id_t certs[4]; + CK_ULONG n_cert = 0; + + if (state == NULL || obj == NULL || len == NULL_PTR) + return CKR_ARGUMENTS_BAD; + + buf_len = sizeof(buf); + if (ykpiv_fetch_object(state, YKPIV_OBJ_AUTHENTICATION, buf, &buf_len) == YKPIV_OK) { + n_cert++; + certs[0] = PIV_CERT_OBJ_X509_PIV_AUTH; + fprintf(stderr, "Found AUTH cert (9a)\n"); + } + + buf_len = sizeof(buf); + if (ykpiv_fetch_object(state, YKPIV_OBJ_SIGNATURE, buf, &buf_len) == YKPIV_OK) { + n_cert++; + certs[1] = PIV_CERT_OBJ_X509_DS; + fprintf(stderr, "Found SIGNATURE cert (9c)\n"); + } + + buf_len = sizeof(buf); + if (ykpiv_fetch_object(state, YKPIV_OBJ_KEY_MANAGEMENT, buf, &buf_len) == YKPIV_OK) { + n_cert++; + certs[2] = PIV_CERT_OBJ_X509_KM; + fprintf(stderr, "Found KMK cert (9d)\n"); + } + + buf_len = sizeof(buf); + if (ykpiv_fetch_object(state, YKPIV_OBJ_CARD_AUTH, buf, &buf_len) == YKPIV_OK) { + n_cert++; + certs[3] = PIV_CERT_OBJ_X509_CARD_AUTH; + fprintf(stderr, "Found CARD AUTH cert\n"); + } + + if (n_cert + token_objects_num > *len) + return CKR_BUFFER_TOO_SMALL; + + // Copy mandatory data objects + memcpy(obj, token_objects, token_objects_num * sizeof(piv_obj_id_t)); + + // Copy certificates + memcpy(obj + token_objects_num, certs, n_cert * sizeof(piv_obj_id_t)); + + *len = token_objects_num + n_cert; + fprintf(stderr, "The total number of objects for this token is %lu\n", *len); + return CKR_OK; } - -CK_RV YUBICO_get_token_object_list(piv_obj_id_t *obj, CK_ULONG len) { - -} 
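Review bot: `certs[]` is filled by fixed slot (`certs[0]` … `certs[3]`) but copied as the first `n_cert` entries, so whenever an earlier slot is absent — only the 9c signature certificate present, say — `memcpy` copies an uninitialised `certs[0]` and the token advertises a garbage object handle. Write each hit as `certs[n_cert++] = PIV_CERT_OBJ_X509_PIV_AUTH;` (and likewise for the other three) so the array is packed. The presence probe fetches the whole object into a 2048-byte `buf`; if `ykpiv_fetch_object` reports an undersized buffer as a failure, a larger certificate would be reported as missing — confirm that contract or probe with the length the library returns. The `fprintf(stderr, …)` calls are unconditional output from a library and belong behind the module's debug macro or should be dropped. The `#include` inserted mid-file belongs with the file's other includes at the top.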
diff --git a/ykcs11/yubico.h b/ykcs11/yubico.h
index 979c71e..4e884b8 100644
--- a/ykcs11/yubico.h
+++ b/ykcs11/yubico.h
@@ -3,6 +3,7 @@
 #include "pkcs11.h"
 #include "obj_types.h"
+#include 
 CK_RV YUBICO_get_slot_description(CK_UTF8CHAR_PTR str, CK_ULONG len);
 CK_RV YUBICO_get_slot_manufacturer(CK_UTF8CHAR_PTR str, CK_ULONG len);
@@ -17,7 +18,7 @@ CK_RV YUBICO_get_token_version(CK_UTF8CHAR_PTR v_str, CK_ULONG v_str_len, CK_VER
 CK_RV YUBICO_get_token_mechanisms_num(CK_ULONG_PTR num);
 CK_RV YUBICO_get_token_mechanism_list(CK_MECHANISM_TYPE_PTR mec, CK_ULONG num);
 CK_RV YUBICO_get_token_mechanism_info(CK_MECHANISM_TYPE mec, CK_MECHANISM_INFO_PTR info);
-CK_RV YUBICO_get_token_objects_num(CK_ULONG_PTR num);
-CK_RV YUBICO_get_token_object_list(piv_obj_id_t * obj, CK_ULONG num);
+//CK_RV YUBICO_get_token_objects_num(CK_ULONG_PTR num);
+CK_RV YUBICO_get_token_object_list(ykpiv_state *state, piv_obj_id_t * obj, CK_ULONG_PTR num);
 #endif